StormITSolutions wrote: Has anyone managed a good way of masking the API password? We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.

Build a web interface on a secure computer just for your bankers with some kind of login system that only they can access. That interface uses server-side scripting like PHP to communicate with the game server's API. The bankers will not be able to see that communication and thus won't know what the API password is.
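The setup described in the reply above, as an added example that is not part of the original thread or the game server's own code. The endpoint URL, form field names, command names, session key and the `GAME_API_PASSWORD` environment variable are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Endpoint, field names and command names are placeholders (assumptions),
// not taken from the game server's documentation.
const API_URL = 'http://127.0.0.1:8080/api';
const ALLOWED_COMMANDS = ['open_tournament', 'close_tournament'];

session_start();

// 1. Only a logged-in banker may use this page (login form not shown).
if (empty($_SESSION['banker_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. Bankers choose from a fixed list; they never compose raw API calls.
$command = (string)($_POST['command'] ?? '');
if (!in_array($command, ALLOWED_COMMANDS, true)) {
    http_response_code(400);
    exit('Unknown command');
}

// 3. The API password lives in the web server's environment, so it is
//    never present in the HTML, JavaScript or requests the banker sees.
$password = getenv('GAME_API_PASSWORD');
if ($password === false || $password === '') {
    http_response_code(500);
    exit('Server misconfigured');
}

// 4. Server-to-server call; only this leg carries the password.
$ch = curl_init(API_URL);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'password'   => $password,
        'command'    => $command,
        'tournament' => substr((string)($_POST['tournament'] ?? ''), 0, 64),
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 5,
]);
$reply = curl_exec($ch);

// 5. Return a fixed status, not the raw reply, so nothing the API echoes leaks.
header('Content-Type: text/plain');
echo $reply === false ? 'Game server did not respond' : 'Command sent';
```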

I have tried a lot of methods but packet sniffers are still picking up the API password. Looking into the password being stored in a remote server database and the PHP app calling the password from the banker's command after the submission on a remote banker site.

That way the call is done after on another server so packet sniffers can't pick it up. A more roundabout way of doing it, so I thought I would ask if others had a workaround or shall I just get stuck into the code.

I may be overcomplicating it, as I've been told in the past I can't see the forest for the trees.

AL

It's not a scenario we are currently using, but I'm crossing all the T's and dotting the i's for future use. At the moment the bankers are on the same network as the server.

My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets. I know this is normally the case, but API is something I'm fairly new to.

Only started integrating API into my software to sync servers so not 100% sure of its application in this sense.

StormITSolutions wrote: At the moment the bankers are on the same network as the server.

Well that would be an issue if they have physical access to your own computers.

My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets

They could see the packets if they had access to the sending or receiving computer. I'm not sure about inside a LAN but I suspect if they had access to the router it might be possible there also since all the network traffic would flow through it.

One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.

Kent Briggs wrote: One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.